This is not new at all, inasmuch as the attack vector is completely unchanged and is in no way "new" in any fashion whatsoever from past malware for OS X.

If someone on any operating system/platform uses a software package that, if not in whole, then in large part is used to illegally distribute and share illegally obtained items (software, movies, etc.), and downloads an installer, runs it, and supplies their credentials, then you can put anything you want on their system. That's the problem with social-engineering-based malware. It's not even a virus (it can't propagate itself without user action). When people will run an installer from an untrusted (nay, *should* be seen as *suspect*!) source, all bets are off.

I suggest, first and foremost, that you (IT admins) should not exempt your users (Mac or PC) from your acceptable network usage policies. And that should include company-owned assets used offsite. And it should include non-company assets that your company is going to pay to support.